Only valid as a child of an all
rule. If its child is false, the
except is true.

The Field Rule

The field rule is the primary building block for a role-mapping expression.
It takes a single object as its value and that object must contain a single
member with key F and value V. The field rule looks up the value of F
within the user object and then tests whether the user value matches the
provided value V.

The value specified in the field rule can be one of the following types:

The realm that authenticated the user. The only field in this object is the realm name.

"realm": { "name": "ldap1" }

The groups field is multi-valued; a user can belong to many groups. When a
field rule is applied against a multi-valued field, it is considered to match
if at least one of the member values matches. For example, the following rule
matches any user who is a member of the admin group, regardless of any
other groups they belong to:
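An added example, not taken from the Elasticsearch documentation or code base: a small offline evaluator for the rule semantics described above, useful for auditing which roles a set of mappings would grant a given user. It assumes exact-match comparison only and dotted field names such as `realm.name`. The mapping names, role names and users are constructed.

```python
def lookup(user, path):
    """Resolve a dotted field name such as 'realm.name' in the user object."""
    value = user
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def evaluate(rule, user, parent=None):
    """Evaluate one rule object ({"field"|"all"|"any"|"except": ...})."""
    if len(rule) != 1:
        raise ValueError("a rule object must have exactly one member")
    (kind, body), = rule.items()
    if kind == "field":
        if len(body) != 1:
            raise ValueError("a field rule must have exactly one member")
        (name, expected), = body.items()
        actual = lookup(user, name)
        # Multi-valued user fields match if at least one member value matches.
        # Exact match only: an assumption of this sketch.
        return expected in (actual if isinstance(actual, list) else [actual])
    if kind == "all":
        return all(evaluate(r, user, "all") for r in body)
    if kind == "any":
        return any(evaluate(r, user, "any") for r in body)
    if kind == "except":
        if parent != "all":
            raise ValueError("except is only valid as a child of an all rule")
        return not evaluate(body, user)
    raise ValueError(f"unknown rule type: {kind!r}")

def roles_for(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    granted = set()
    for mapping in mappings.values():
        if mapping["enabled"] and evaluate(mapping["rules"], user):
            granted.update(mapping["roles"])
    return granted

# Constructed sample data: mapping names, role names and users are hypothetical.
MAPPINGS = {
    "admins": {"enabled": True, "roles": ["superuser"], "rules": {"all": [
        {"field": {"groups": "admin"}},
        {"except": {"field": {"realm.name": "ldap1"}}}]}},
    "ldap": {"enabled": True, "roles": ["user"], "rules": {"field": {"realm.name": "ldap1"}}},
    "off": {"enabled": False, "roles": ["monitor"], "rules": {"field": {"groups": "admin"}}},
}
ALICE = {"groups": ["dev", "admin"], "realm": {"name": "native1"}}
BOB = {"groups": ["admin"], "realm": {"name": "ldap1"}}
```

With this data, `roles_for(ALICE, MAPPINGS)` yields only `superuser`, while `roles_for(BOB, MAPPINGS)` yields only `user`: the `except` clause excludes the `ldap1` realm from the admin mapping, and the disabled mapping contributes nothing.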

Path Parameters

name

(string) The distinct name that identifies the role mapping. The name is
used solely as an identifier to facilitate interaction via the API; it does
not affect the behavior of the mapping in any way. If you do not specify this
parameter for the Get Role Mappings API, it returns information about all
role mappings.

Request Body

The following parameters can be specified in the body of a PUT or POST request
and pertain to adding a role mapping:

enabled (required)

(boolean) Mappings that have enabled set to false are ignored when role
mapping is performed.

metadata

(object) Additional metadata that helps define which roles are assigned to each
user. Within the metadata object, keys beginning with _ are reserved for
system usage.

roles (required)

(list) A list of roles that are granted to the users that match the role-mapping
rules.

rules (required)

(object) The rules that determine which users should be matched by the mapping.
A rule is a logical condition that is expressed by using a JSON DSL.

Authorization

To use this API, you must have at least the manage_security cluster privilege.

Examples

To add a role mapping, submit a PUT or POST request to the /_xpack/security/role_mapping/<name> endpoint. The following example assigns
the "user" role to all users:

To retrieve a role mapping, issue a GET request to the
/_xpack/security/role_mapping/<name> endpoint:

GET /_xpack/security/role_mapping/mapping7

A successful call retrieves an object whose keys are the names of the
requested mappings and whose values are the JSON representations of those
mappings. If there is no mapping with the requested name, the response has
status code 404.